Date: Tue, 1 Apr 2003 11:03:05 -0800
From: "Sam Leffler" <sam@errno.com>
To: "Mailing List FreeBSD Network" <freebsd-net@freebsd.org>, "Eric Masson" <e-masson@kisoft-services.com>
Subject: Re: options FAST_IPSEC & tunnels
Message-ID: <05b901c2f881$67e907f0$52557f42@errno.com>
References: <86pto6mbxj.fsf@notbsdems.interne.kisoft-services.com>
> I'm using IPSEC tunnels to join different gateways over the Internet.
>
> I've made some trials with FAST_IPSEC today (I've received a Soekris
> VPN1201) and I'm facing a problem with incoming packets.
>
> The following code snippet from /sys/netinet/ip_input.c permits
> detunneled packets to flow without being filtered by ipf/ipfw :
>
> #if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
>         /*
>          * Bypass packet filtering for packets from a tunnel (gif).
>          */
>         if (ipsec_gethist(m, NULL))
>                 goto pass;
> #endif
>
> Is there any counterpart for FAST_IPSEC (I've dug thru the code, but no
> luck atm) ?

Wow, someone besides me actually using fast ipsec! :)

Packets are tagged once they've been processed on input. I think you can
do a similar check with something like:

        if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
                goto pass;

Long term, I intend to associate packets with an enc device so there's a
way to identify these packets when writing firewall rules.

	Sam
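The check Sam suggests hinges on how mbuf tags work: FAST_IPSEC attaches a PACKET_TAG_IPSEC_IN_DONE tag to a packet once it has decapsulated it, and ip_input.c can look that tag up with m_tag_find() to decide whether to skip ipf/ipfw. The following userspace model, added here as an example and not code from FreeBSD or from either poster, reproduces that decision outside the kernel. The struct mbuf, struct m_tag, m_tag_find() and the tag attach/free helpers are simplified stand-ins that keep the kernel's list-of-tags semantics (a chain of typed tags per packet, searched from an optional start tag); the numeric tag value and the filtergif flag are constructed for the model.

```c
/* Userspace model of the FAST_IPSEC "packet already processed" check.
 * Not FreeBSD kernel code: the mbuf and m_tag shapes below are simplified
 * stand-ins that mirror the kernel's chain-of-tags semantics. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Tag type: the numeric value is a constructed placeholder, only the name
 * matters for this model. */
#define PACKET_TAG_IPSEC_IN_DONE 1

struct m_tag {
    struct m_tag *m_tag_link; /* next tag on the packet, NULL at the end */
    int m_tag_id;             /* tag type */
};

struct mbuf {
    struct m_tag *m_tags;     /* head of the packet's tag chain */
};

/* Search the chain for a tag of the given type. A NULL start searches from
 * the head; otherwise the search resumes after `start`, mirroring the
 * kernel's m_tag_find(m, type, start). */
static struct m_tag *
m_tag_find(struct mbuf *m, int type, struct m_tag *start)
{
    struct m_tag *t = (start == NULL) ? m->m_tags : start->m_tag_link;

    for (; t != NULL; t = t->m_tag_link)
        if (t->m_tag_id == type)
            return t;
    return NULL;
}

/* Attach a tag at the head of the chain (stand-in for what the IPsec input
 * path does after decapsulation). Returns 0 on success, -1 on allocation failure. */
static int
m_tag_attach(struct mbuf *m, int type)
{
    struct m_tag *t = calloc(1, sizeof(*t));

    if (t == NULL)
        return -1;
    t->m_tag_id = type;
    t->m_tag_link = m->m_tags;
    m->m_tags = t;
    return 0;
}

/* Release every tag on the packet. */
static void
m_tag_free_all(struct mbuf *m)
{
    while (m->m_tags != NULL) {
        struct m_tag *next = m->m_tags->m_tag_link;
        free(m->m_tags);
        m->m_tags = next;
    }
}

/* The input-path decision from the thread. With the bypass compiled in
 * (no IPSEC_FILTERGIF), a packet FAST_IPSEC has already processed is
 * passed around ipf/ipfw. Returns 1 for "goto pass" (skip the firewall),
 * 0 for "run the packet through the filter". */
static int
bypass_filter(struct mbuf *m, int filtergif)
{
    if (filtergif)    /* IPSEC_FILTERGIF: decapsulated packets are filtered too */
        return 0;
    return m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL;
}

/* Build a packet, optionally marked as IPsec-processed, and return the
 * bypass decision (-1 on allocation failure). */
static int
decide(int ipsec_done, int filtergif)
{
    struct mbuf m = { NULL };
    int r;

    if (ipsec_done && m_tag_attach(&m, PACKET_TAG_IPSEC_IN_DONE) != 0)
        return -1;
    r = bypass_filter(&m, filtergif);
    m_tag_free_all(&m);
    return r;
}

int
main(void)
{
    printf("tagged,   no FILTERGIF: bypass=%d\n", decide(1, 0));
    printf("untagged, no FILTERGIF: bypass=%d\n", decide(0, 0));
    printf("tagged,   FILTERGIF:    bypass=%d\n", decide(1, 1));
    return 0;
}
```

The model makes the security trade-off in the thread concrete: on the default build, any packet carrying the IPSEC_IN_DONE tag takes the `goto pass` path and is never seen by ipf/ipfw, so the inner traffic from a tunnel peer is trusted on the strength of the tunnel alone. Building with IPSEC_FILTERGIF (or, as Sam plans, exposing the packets through an enc device) is what keeps that decapsulated traffic subject to firewall rules.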